[英]Is it possible for user to escape asp.net core's application folder?
For example file css.css
is accessible because it should be 例如,文件
css.css
是可访问的,因为它应该是
access url: 访问网址:
localhost:1234/css.css
本地主机:1234 / css.css
projects_folder
- application.dll
- wwwroot\css.css
but what about situation: 但是情况如何:
disk
secret_folder
- secret.txt
application_folder
- application.dll
- wwwroot\css.css
Can I safely assume that user is unable to this even with some tricks!
我可以安全地假设
even with some tricks!
用户也无法做到这一点even with some tricks!
: :
localhost:1234/../secret_folder/secret.txt
本地主机:1234 /../ secret_folder / secret.txt
in default ASP .NET Core's MVC template? 在默认ASP .NET Core的MVC模板中?
It depends on how the application is configured. 这取决于应用程序的配置方式。
In the default ASP .NET Core's MVC template you should have the following in your Startup.Configure to allow access to static files in the wwwroot folder: 在默认的ASP .NET Core的MVC模板中,您应该在Startup.Configure中包含以下内容,以允许访问wwwroot文件夹中的静态文件:
public void Configure(IApplicationBuilder app)
{
app.UseStaticFiles(); // For the wwwroot folder
}
The parameterless UseStaticFiles method overload marks the files in web root (wwwroot) as servable. 无参数的UseStaticFiles方法重载将Web根(wwwroot)中的文件标记为可服务。
In order to access static files outside of the web root you would be required to add further configuration, as described in the following link: 为了访问Web根目录之外的静态文件,您将需要添加进一步的配置,如以下链接中所述:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-2.1&tabs=aspnetcore2x https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-2.1&tabs=aspnetcore2x
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.